Microsoft Azure does not meet the Norwegian Security Act — grid companies should sound the alarm
Classified information about Norwegian power infrastructure ends up in a US cloud that does not meet the requirements of the Security Act. It can prove costly — quite literally, with daily fines.
Today's unpredictable international situation makes protecting information about critical infrastructure more relevant than ever. Yet a number of Norwegian grid companies store sensitive grid data in Microsoft Azure — a cloud that, in my view, does not meet the requirements of the Security Act.
The Norwegian Security Act and NSM: what the law requires of grid companies
The Norwegian Security Act (sikkerhetsloven) is administered by the Norwegian National Security Authority (NSM) and is designed to protect values worthy of protection — information, information systems, objects and infrastructure of importance to basic national functions. Power supply is one such function. This means that critical infrastructure in the power sector may contain elements that are classified under the law.
Among other things, the law imposes strict requirements on the encryption, storage and processing of classified information. Classified (security-graded) information must be handled in information systems approved for the purpose, and cryptographic solutions must be approved by NSM. In the event of breaches, the authorities can issue orders — and impose coercive fines, i.e. ongoing daily fines — until the matter is rectified.
When pylon positions become classified information
A single pylon is no secret. But a complete, aggregated overview of every pylon, corridor, junction and weak point in a grid draws a detailed map of critical infrastructure. Aggregated information can have a completely different protective value than the individual pieces on their own. It is precisely this aggregation the Security Act is meant to protect — and it is exactly this kind of dataset that is increasingly being collected, not least through helicopter-based powerline inspection.
Why Microsoft Azure breaches the requirements of the Security Act
In the 1990s I led one of Norway's largest channels for Microsoft volume licensing agreements, and I know the company well from the inside. That is precisely why I am sounding the alarm: the problem is not that Microsoft delivers poor technology — it does not. The problem is jurisdiction and control.
Microsoft is established in the USA and is subject to US legislation, including the CLOUD Act. It gives US authorities the legal basis to demand the disclosure of data from American companies — regardless of whether the data physically sits on a server in Norway or the EU. A "Norwegian" Azure region does not change who ultimately holds legal control over the data.
For classified information this is decisive. You cannot simultaneously meet the Security Act's requirement of Norwegian control and store the data in an infrastructure where a foreign state has legal grounds for access. Azure therefore does not, in my view, meet the Security Act's requirements for storing such data — yet this is exactly what a number of companies use.
Classified data must be stored physically in Norway
A central point is where the data physically resides. For classified information, the physical storage must take place at a geographic location that enables national control — which in practice means in Norway. Without a Norwegian location, there is no real possibility for Norwegian authorities to enforce control over the data.
Microsoft Azure does not store this data in Norway. The very precondition for meeting the Security Act therefore falls away — regardless of how good the encryption or the technology may otherwise be.
The processing software for line inspection must also be approved
Many think only about where the data is stored. But the Security Act also applies to the processing. If the data from a line inspection is classified, then the processing software — the tools that analyse, store and present the inspection data — must also be approved for the purpose. An analysis tool running as a service in Azure inherits the same jurisdictional problems as the storage.
- The data is not stored physically in Norway. Classified information must be stored at a location that enables national control — in Norway. Azure does not do that.
- The cloud service does not meet the Security Act for storing classified information — also because of US jurisdiction over the data.
- The processing software for line inspection must also be approved if the data is classified — it is not enough to "move the server to Norway".
Azure lock-in: popular today, dangerously expensive over time
Microsoft Azure is a popular product. But over time it can become dangerously expensive. Azure is a proprietary system that "locks" the customer into a closed architecture — difficult and costly to get out of again. The barrier to use is high, and operation typically requires support from an in-house IT department and/or an external IT agency.
This is entirely in line with Microsoft's fundamental philosophy: offer it cheaply, lock the customer in, expand the feature set, and open the door to extensive use of expensive external consultants and IT agencies.
What we are seeing with Azure is Microsoft's channel strategy striking again — just as in the 1990s and later: get everyone onto a closed, proprietary system they never get out of, but on which the vendor earns handsomely. All controlled by Microsoft in the USA.
Here is how the machinery works: Azure is "pumped" into the market by the IT companies Microsoft has "authorised" as Azure partners — and they profit handsomely from it. The losers are small and medium-sized businesses without their own IT department: a low entry threshold lures them in, the business is locked in, costs rise over time, and there is no real way out. And at the heart of it all: no national control over data security.
Europe has already woken up: Denmark and Germany are leaving Microsoft
This is not a distant theory. Several European authorities have already begun to disconnect from Microsoft — for exactly the same reasons I am warning about here: digital sovereignty, cost and the CLOUD Act.
Denmark: The Ministry of Digital Affairs, led by Minister of Digital Affairs Caroline Stage Olsen, replaced Microsoft Office 365 with open source (LibreOffice) in 2025, and is moving towards Linux. The stated reason: to reduce dependence on foreign technology and regain control over its own data.
The municipalities are following suit: both Copenhagen and Aarhus are phasing out Microsoft. Danish municipalities' spending on proprietary software rose sharply — in Copenhagen by up to 72% over five years — from DKK 313 million to DKK 538 million between 2018 and 2023. In Aarhus, operating costs were cut from around DKK 800,000 to about DKK 225,000 per year after the switch.
Germany: The state of Schleswig-Holstein is moving around 30,000 workstations from Microsoft to open source, and expects to save tens of millions of euros over time.
When entire state administrations and major cities in neighbouring countries are moving out of Microsoft for the sake of sovereignty — why should the most sensitive data about Norwegian power infrastructure sit in Microsoft Azure?
The Security Act and Azure: what grid companies should do now
- Carry out a value assessment: Are pylon positions, corridors and inspection data, taken together, classified? Take the question to NSM if you are in doubt.
- Map where the data actually resides physically, and require storage in Norway at a location that enables national control — not just which "region" has been selected.
- Assess the processing software, not just the storage — the whole chain must hold.
- Choose solutions with genuine Norwegian control for anything that is classified.
The international situation is unpredictable, and the question of which national legislation applies in the country where the supplier is established ought to ring a few alarm bells at Norwegian grid companies currently building on Microsoft Azure. Within the Heliwing system we believe data about Norwegian power infrastructure belongs under Norwegian control.
- The Norwegian Security Act (sikkerhetsloven) — Lovdata
- Norwegian National Security Authority (NSM) — nsm.no
- NSM — Basic principles for ICT security and guidance on the Security Act — nsm.no/regelverk
- U.S. CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) — congress.gov
- Denmark's Ministry of Digital Affairs drops Microsoft Office — The Record / Computing
- Copenhagen and Aarhus choose open source — EU Open Source Observatory
- Schleswig-Holstein leaves Microsoft (30,000 workstations) — VARINDIA